December 7, 2005

Financial Management

Defense Finance and Accounting Service Corporate Database User Access Controls
(D-2006-033)

Department of Defense
Office of Inspector General

Constitution of the United States

A Regular Statement of Account of the Receipts and Expenditures of all public Money shall be published from time to time.
                                                             Article I, Section 9

Additional Copies

To obtain additional copies of this report, visit the Web site of the Department of Defense Inspector General at http://www.dodig.mil/audit/reports or contact the Secondary Reports Distribution Unit, Audit Followup and Technical Support at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact Audit Followup and Technical Support at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

    ODIG-AUD (ATTN: AFTS Audit Suggestions)
    Department of Defense Inspector General
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Acronyms
ACL     Access Control List
BEIS    Business Enterprise Information Services
CEFT    Corporate Electronic Funds Transfer
DCD     Defense Finance and Accounting Service Corporate Database
DCII    Defense Finance and Accounting Service Corporate Information Infrastructure
DFAS    Defense Finance and Accounting Service

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

December 7, 2005

MEMORANDUM FOR DIRECTOR, DEFENSE FINANCE AND ACCOUNTING SERVICE

SUBJECT: Report on Defense Finance and Accounting Service Corporate Database User Access Controls (Report No. D-2006-033)

We are providing this report for your information and use. We considered management comments on a draft of this report in preparing the final report. The comments conformed to the requirements of DoD Directive 7650.3 and left no unresolved issues. Therefore, no additional comments are required.

We appreciate the courtesies extended to the staff. Questions should be directed to Mr. Carmelo G. Ventimiglia at (317) 510-3855 (DSN 699-3855) or Mr. Jack L. Armstrong at (317) 510-3846 (DSN 699-3846). For the report distribution, see Appendix B. The team members are listed inside the back cover.

By direction of the Deputy Inspector General for Auditing:

Assistant Inspector General
Defense Financial Auditing Service

Department of Defense Office of Inspector General
Report No. D-2006-033                                                   December 7, 2005
(Project No. D2005-D000FI-0052.000)

Defense Finance and Accounting Service Corporate Database User Access Controls

Executive Summary

Who Should Read This Report and Why? This report should be read by all Defense Finance and Accounting Service (DFAS) personnel with information assurance responsibilities and by all personnel assigned to the DFAS Corporate Database Project Management Office. The report identifies an internal control weakness involving the DFAS Corporate Database and suggests methods for improving user access security.

Background. This is the first in a series of reports related to our audit of the compilation process for financial reporting for the Army General Fund. It discusses the internal controls over DFAS Corporate Database user access. The DFAS Corporate Database will process accounting and financial information for various DoD Components. DFAS planned to start using the DFAS Corporate Database to process information for the compilation of the FY 2005 Army General Fund financial reports. However, a problem with establishing beginning account balances has caused system implementation to slip into FY 2006.

Data within the DFAS Corporate Database are segregated into various database tables. A database table is a single store of related information. Information assurance personnel assign user access roles that limit users' access to the database tables and system capabilities. For instance, users can be assigned database view and edit (write and delete information) capabilities. As of April 15, 2005, there were 2,323 user accounts that could access data stored in the DFAS Corporate Database tables. The user accounts were assigned by DFAS business or operational areas. Vendor Pay Services, Travel Pay Services, and Army Accounting Services are the three business areas that use the Corporate Electronic Funds Transfer and Army accounting database tables. These database tables contain information regarding DoD financial transactions, including sensitive financial and tax information for 339,000 DoD contractors and 3.5 million DoD employees.

Results. DFAS internal controls over access to corporate electronic funds transfer and Army accounting data processed by the DFAS Corporate Database were not adequate. Specifically:

    • inactive user accounts were not deactivated when DFAS Corporate Database access was no longer needed, and

    • users were assigned edit capability although they did not need it to perform their duties.

As a result, the risk of misuse of sensitive information, such as bank routing and account numbers, was increased. The Director of DFAS should revise the "System Access Control Policy and Standard Operating Procedures for DFAS Acquisition Management Organization" to require that functional information owners and supervisors certify that the monthly access control list has been reviewed and used to identify and deactivate inactive user accounts.

The Director should also require that functional information owners forward the certifications to the Business Enterprise Information Services Production Support Office and review job responsibilities to ensure that user access to the DFAS Corporate Database is appropriately limited. In addition, the Director should require that user access to the DFAS Corporate Database be reported as a material internal control weakness until corrective actions have been taken and verified. (See the Finding section of the report for the detailed recommendations.)

Management Comments. The Component Acquisition Executive of Defense Finance and Accounting Service concurred with the recommendations and stated that the next version of the "System Access Control Policy and Standard Operating Procedures for DFAS Acquisition Management Organization" will require that functional information owners and supervisors certify the review of the monthly access control list. Functional information owners will also be required to forward the list to the Business Enterprise Information Services Production Support Office and maintain electronic evidence of the certification. He also stated that functional information owners will be directed to perform a one-time review of all job responsibilities, and DFAS will validate compliance with user access controls during preparation of the FY 2006 Annual Statement of Assurance. (See the Finding section of the report for a discussion of management comments and the Management Comments section of the report for the complete text of the comments.)

Table of Contents

Executive Summary                               i
Background                                      1
Objective                                       3
Managers' Internal Control Program              3
Finding
    System User Access Controls                 4
Appendixes
    A. Scope and Methodology                    9
       Prior Coverage                          10
    B. Report Distribution                     11
Management Comments
    Defense Finance and Accounting Service     13

Background

This is the first in a series of reports related to the audit of the compilation process for financial reporting for the Army General Fund. This report addresses access authorization to Defense Finance and Accounting Service (DFAS) Corporate Database (DCD). DCD is one of the systems that DFAS plans to use for compiling Army General Fund budget reports and financial statements. DFAS initially planned to use DCD to process information for the compilation of the FY 2005 Army General Fund financial reports. However, a problem with establishing beginning account balances caused the implementation to slip into FY 2006.

Department of Defense Business Enterprise Information Services. DCD is part of the DoD Business Enterprise Information Services (BEIS), which builds upon existing infrastructure to provide timely, accurate, and reliable business information from across DoD to support auditable financial statements. BEIS replaces the DFAS Corporate Information Infrastructure (DCII). DCII was the initial DFAS attempt to consolidate finance and accounting into a single, integrated financial management system.

The DCD Project Management Office is responsible for developing DCD. When fully implemented, DCD will make DoD Component accounting and finance information available to multiple users and applications at the same time. Approximately 80 percent of the financial information processed in DCD will originate from feeder systems,[1] and the remainder will originate from DFAS systems. DCD will eliminate multiple databases and the inefficiencies and reconciliation processes that can result when data are passed back and forth between information systems.

System Access Administration. Data within DCD are segregated into various database tables. A database table is a single store of related information. DCD information assurance personnel use Oracle internal role-based security to control user access to the database tables. DCD information assurance personnel assign user access roles that limit users' access to the database tables and functions. Users' roles are associated with job responsibilities that are contained in the job responsibility matrix. For example, the "GET_AY_GEN_FUND" database role is associated with the Army General Fund job responsibility. The Army General Fund job responsibility provides access to specific database tables and functional capabilities to edit (write and delete information) the data contained in those tables. The April 26, 2005, job responsibility matrix had 65 job responsibilities. Users can be assigned database view and edit capabilities. User access should be restricted to the minimum necessary to conduct business.

As of April 15, 2005, there were 2,323 user accounts that could access data stored in the DCD database tables. The user accounts were assigned by DFAS business or operational areas. Vendor Pay Services, Travel Pay Services, and Army Accounting Services are the business areas that use the corporate electronic funds transfer (CEFT) and Army accounting database tables. As of April 15, 2005, 2,271 user accounts had access to CEFT and Army accounting database tables.

[1] Feeder systems are information systems, such as Standard Finance System and Standard Operation Maintenance Army Research and Development System, which transfer accounting data into DCD from field accounting activities.

Information Assurance Policy. DoD Instruction 8500.2, "Information Assurance (IA) Implementation," February 6, 2003, implements policy, assigns responsibilities, and prescribes procedures for the protection of DoD information systems. DoD Instruction 8500.2 requires that information assurance personnel establish and manage authorized user accounts for DoD information systems. This requirement includes deactivating user accounts when the user no longer needs access to DoD information systems.

"System Access Control Policy and Standard Operating Procedures for DFAS Corporate Information Infrastructure," November 2003, (DFAS policy)[2] implements DoD Instruction 8500.2 and provides instructions for managing system access for DCD. DFAS supervisors, functional information owners,[3] and the BEIS Production Support Office[4] personnel have responsibilities for controlling user access to DCD. The DFAS policy requires the following.

    • User access will be limited to those who need to know and limited to information needed to perform assigned duties.

    • The BEIS Production Support Office will maintain an access control list (ACL) of all user accounts to include the user's full name, the assigned database role, and the date the system was last accessed, and provide the ACL to the functional information owners and terminal area security officers.

    • Functional information owners, who serve as the data stewards for the information in DCD that directly supports their business operations, will approve new users and identify the appropriate database roles assigned to each user. Functional information owners are also responsible for auditing user accounts against assigned roles.

    • DFAS supervisors will review the ACL to ensure departed personnel have been removed and to account for each name within their division.

    • Terminal area security officers, who serve as the focal points for local terminal security matters, along with the functional information owners, will notify the BEIS Production Support Office to terminate a user's account immediately upon the user's retirement, departure, or promotion.

[2] Superseded by DFAS "System Access Control Policy and Standard Operating Procedures for DFAS Acquisition Management Organization," July 21, 2005.
[3] Functional information owners were previously known as functional data owners.
[4] The BEIS Production Support Office was previously known as the DCII Production Support Office.

Objective

The overall audit objective was to determine whether the internal controls over the financial information processed by DCD and the Defense Departmental Reporting System-Budgetary were adequate for Army General Fund financial reporting. This report discusses the internal controls over user access to DCD and includes the results of our review of the Management Control Program as it relates to user access to DCD. We plan to issue another report addressing the overall control environment of DCD and the Defense Departmental Reporting System-Budgetary. See Appendix A for a discussion of the scope and methodology and for prior coverage related to the objective.

Managers' Internal Control Program

We identified a material internal control weakness for DFAS as defined by DoD Instruction 5010.40, "Management Control (MC) Program Procedures," August 28, 1996. DFAS internal controls were not adequate to ensure that information assurance personnel deactivated user accounts when DCD access was no longer required. Recommendations 1. and 2., when implemented, will correct the identified weaknesses and result in improved access controls over sensitive DCD data. In addition, the DCD Project Management Office did not identify user access as an internal control weakness in its FY 2005 Annual Statement of Assurance dated June 14, 2005. The Finding section of this report discusses the details of the internal control weakness and the adequacy of management's self-evaluation process. A copy of the report will be provided to the senior official responsible for the Internal Control Program at DFAS.

System User Access Controls

DFAS internal controls over access were not adequate to protect CEFT and Army accounting data processed in DCD. Specifically:

    • terminal area security officers and functional information owners did not notify the BEIS Production Support Office to deactivate inactive user accounts when DCD access was no longer needed, and

    • functional information owners assigned edit capability to users who did not need it to perform their duties.

This occurred because procedures used for controlling access to the DCD did not ensure that DFAS personnel complied with DoD information assurance requirements and DFAS policy. As a result, the lack of adequate controls increased the risk of misuse of sensitive information, such as bank routing and account numbers.

Inactive User Accounts

Unneeded User Accounts. DCD information assurance personnel did not follow DFAS policy to deactivate user accounts with access to DCD CEFT and Army accounting data when users no longer needed access. Of the 2,271 user accounts on the CEFT and Army accounting ACLs, 585 (25.8 percent) had not accessed DCD since December 31, 2004. Of the 585 inactive user accounts, we judgmentally sampled 214 user accounts for current or former DFAS personnel. The following table shows the results of our validation of the need for those 214 users to access DCD.

Table. Validation of DFAS User Accounts

    Determination                     CEFT   Army Accounting   Total   Percentage of Total
    No longer DFAS employees            19                 9      28                  13.1
    Required access                     26                17      43                  20.1
    No longer required access           41                46      87                  40.7
    Did not respond to inquiries        38                18      56                  26.1
    Total                              124                90     214                 100.0

DFAS Human Resources personnel determined that 28 of the 214 personnel with inactive user accounts either no longer worked at DFAS or were taking extended leave without pay. We attempted to contact the remaining 186 DFAS personnel with inactive user accounts to determine if they still needed DCD access. Of the 186 users, 43 responded that they still needed access, while 87 responded that they no longer needed access. The remaining 56 personnel did not respond to our inquiries. A total of 115 (87 who no longer required access plus 28 who are no longer active DFAS employees) user accounts remained active longer than necessary. Of these 115 user accounts, 61 (6 CEFT and 55 Army accounting) had the ability to edit data.

Deactivation Procedures. DFAS needs to improve its internal controls to ensure that inactive user accounts are promptly deactivated and monthly ACLs are routinely provided to DFAS supervisors and functional information owners as required by DFAS policy. DFAS policy did not contain sufficient controls to ensure that information assurance personnel took appropriate action to deactivate inactive user accounts.

Deactivating Inactive User Accounts. The CEFT functional information owner did not correctly deactivate inactive user accounts. Rather than request the BEIS Production Support Office to deactivate unneeded user accounts, the CEFT functional information owner removed all permissions except the "DCII User" role. The CEFT functional information owner stated that it was easier to reactivate access to DCD if the "DCII User" role was retained. However, the CEFT functional information owner was not aware that the "DCII User" role allowed users to view accounting data within the DCD database tables.

Access Control List. DFAS supervisors, functional information owners, and terminal area security officers did not always request that the BEIS Production Support Office deactivate inactive user accounts. The information in the table illustrates that DFAS personnel were not adequately following DFAS policy to identify and request deactivation of inactive user accounts. A contributing factor was that the BEIS Production Support Office did not provide a monthly ACL to DFAS supervisors and functional information owners as required by DFAS policy. The CEFT functional information owner received an ACL dated March 15, 2005, but had not received a list for the previous 6 months. Other functional information owners had not received monthly ACLs for at least 1 year. Because the functional information owners and DFAS supervisors did not receive the monthly ACLs, they did not have important information necessary to identify and to deactivate inactive user accounts.

DFAS Deactivation Policy. DFAS did not establish sufficient controls to ensure that information assurance personnel took appropriate action to deactivate inactive user accounts. Specifically, the DFAS policy did not require that:

    • supervisors and functional information owners certify that they reviewed the monthly ACLs and requested that the BEIS Production Support Office deactivate inactive user accounts,

    • supervisors and functional information owners provide the certified monthly ACLs to the BEIS Production Support Office, and

    • the BEIS Production Support Office retain copies of the certified ACLs.

User Edit Capabilities

The functional information owner assigned Army accounting users edit capability that was not commensurate with their duties. The ACL dated April 15, 2005, had 482 users with Army General Fund job responsibility. Between April 17 and August 11, 2005, the Army accounting functional information owner removed edit capabilities for 464 of the users. One user had edit capability from January 10, 2003. Of the 464 users, 403 had edit capability removed on May 10 and May 11, 2005. Only 18 users were left with edit capabilities.

The Army accounting functional information owner did not ensure that users were assigned edit responsibility in accordance with DFAS policy. DFAS should perform a one-time review of all the job responsibilities for DCD to ensure that edit capabilities are assigned only to those who need them to perform their duties. The Army General Fund job responsibility is only 1 of the 65 job responsibilities with access to Army accounting data in DCD.

System Vulnerabilities

DCD access controls did not comply with DoD Instruction 8500.2, increasing the risk that sensitive information would be misused. Unnecessary access to the database tables provides users an opportunity to make unauthorized changes to accounts and files, or to use sensitive information to perpetrate financial fraud or other abuse. The DCD contains sensitive financial and tax information for 339,000 DoD contractors and 3.5 million DoD employees. Through DCD, users have access to sensitive accounting data, and vendor and employee tax identification numbers, bank routing and account numbers, names, addresses, and phone numbers.

Management Actions

On July 21, 2005, DFAS issued revised policy on access controls titled "DFAS System Access Control Policy and Standard Operating Procedures for DFAS Acquisition Management Organization." The revised policy addresses controls for all DFAS-owned financial management systems. The policy did not include our recommendation that functional information owners and supervisors certify that the monthly ACL has been reviewed and that they forward the certifications to the BEIS Production Support Office. In addition, the revised policy did not require that the BEIS Production Support Office retain evidence of certifications.

On May 20, 2005, the DCD Project Management Office initiated a system change request, titled "CSF IA Policy Deactivate Users Inactive for 120 Days," for DCD that will improve user access controls. The DCD will be reprogrammed to automatically notify functional information owners when user accounts have not been used for 60 days. If the account remains inactive for a total of 90 days, the system will automatically deactivate the user account.
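The monthly ACL review that the DFAS policy assigns to functional information owners and supervisors, combined with the 60-day notify / 90-day deactivate thresholds from the system change request above, as an added Python example that is not DFAS or DCD code. It assumes the ACL is a CSV with the three fields the policy requires (full name, assigned database role, date last accessed), treats an account with no last-access date as inactive (an assumption the report does not address), and uses constructed names and dates; only the role names GET_AY_GEN_FUND and "DCII User" come from the report.

```python
"""Monthly ACL review for the DCD inactivity policy described in this report.

Constructed example, not DFAS or DCD code. Assumptions: the ACL is a CSV with
the three fields the DFAS policy requires (full name, assigned database role,
date last accessed); an account with no last-access date is treated as
inactive; names and dates below are constructed. Only the role names
GET_AY_GEN_FUND (Army General Fund edit role) and "DCII User" (view-only)
come from the report.
"""
import csv
import io
from datetime import date, datetime
from typing import Dict, List, Optional

# Thresholds from the DCD system change request described in the report.
NOTIFY_AFTER_DAYS = 60      # notify the functional information owner
DEACTIVATE_AFTER_DAYS = 90  # automatically deactivate the account

# Assumption: roles that carry edit (write/delete) capability. The report
# names GET_AY_GEN_FUND as the Army General Fund edit role; "DCII User" still
# permits viewing accounting data, so it is not a substitute for deactivation.
EDIT_ROLES = {"GET_AY_GEN_FUND"}

# Constructed ACL rows in the three fields the DFAS policy requires.
SAMPLE_ACL = """\
full_name,database_role,last_accessed
Alice Example,GET_AY_GEN_FUND,2005-04-10
Bob Example,DCII User,2005-02-01
Carol Example,GET_AY_GEN_FUND,2004-12-15
Dan Example,DCII User,2004-11-30
Eve Example,GET_AY_GEN_FUND,
"""


def days_inactive(last_accessed: str, as_of: date) -> Optional[int]:
    """Days since the last access, or None if the ACL has no access date."""
    if not last_accessed.strip():
        return None
    last = datetime.strptime(last_accessed.strip(), "%Y-%m-%d").date()
    return (as_of - last).days


def classify(days: Optional[int]) -> str:
    """Map inactivity onto the 60-day notify / 90-day deactivate actions."""
    # Assumption: an account that has never been used is treated as inactive.
    if days is None or days >= DEACTIVATE_AFTER_DAYS:
        return "deactivate"
    if days >= NOTIFY_AFTER_DAYS:
        return "notify_owner"
    return "active"


def review_acl(acl_text: str, as_of: date) -> List[Dict]:
    """Classify every ACL row and flag inactive accounts that can still edit."""
    findings = []
    for row in csv.DictReader(io.StringIO(acl_text)):
        days = days_inactive(row["last_accessed"], as_of)
        action = classify(days)
        findings.append({
            "full_name": row["full_name"],
            "role": row["database_role"],
            "days_inactive": days,
            "action": action,
            # Inactive accounts holding an edit role are the highest-risk
            # subset: the report found 61 of its 115 stale accounts could edit.
            "stale_edit": action != "active" and row["database_role"] in EDIT_ROLES,
        })
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Counts a functional information owner would certify on the monthly ACL."""
    counts = {"active": 0, "notify_owner": 0, "deactivate": 0, "stale_edit": 0}
    for f in findings:
        counts[f["action"]] += 1
        if f["stale_edit"]:
            counts["stale_edit"] += 1
    return counts


def review_sample() -> List[Dict]:
    """Run the review over the constructed ACL as of the Army ACL date in the report."""
    return review_acl(SAMPLE_ACL, date(2005, 4, 15))


if __name__ == "__main__":
    rows = review_sample()
    for r in rows:
        print(f"{r['full_name']:<16} {r['role']:<16} {str(r['days_inactive']):>5} "
              f"{r['action']:<13} stale_edit={r['stale_edit']}")
    print(summarize(rows))
```

Rows classified "deactivate" that still hold any role, including the view-only "DCII User" role, are the cases the report says must go to the BEIS Production Support Office for deactivation rather than being left with reduced permissions.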
The DCD Project Management Office originally planned to execute the system change request in July 2005; however, the system change request was implemented September 19, 2005.

We provided the CEFT functional information owner with the names of employees who had departed DFAS or had been reassigned. The BEIS Production Support Office deactivated those inactive user accounts.

Adequacy of Management's Self-Evaluation

The FY 2005 self-evaluation of internal controls prepared by the DCD Project Management Office did not identify and report DCD user access as an internal control weakness. The DCD Project Management Office had been identified as the assessable unit; however, DCD access controls had not been assessed since July 2003, when the management self-evaluation was first prepared. At that time, DCD was still in the system development test phase and the internal controls were being initially established. The DCD Project Management Office has included an assessment of internal controls over DCD access in its FY 2005 self-evaluation; however, it did not report DCD access as a material internal control weakness in its FY 2005 Annual Statement of Assurance. The June 14, 2005, transmittal memorandum stated that the evaluation did not identify any material weaknesses although the self-evaluation indicated that the system change would not be implemented until September 2005.

The DCD Project Management Office has responsibility for reporting DCD user access as a material weakness because it is identified as the assessable unit. However, the DCD Project Management Office does not have the authority to ensure that DFAS supervisors and functional information owners comply with user access policy because this is a DFAS management issue. Until the recommendations in this report have been implemented and the internal control weakness has been corrected, DFAS should report DCD access as a material internal control weakness in the Annual Statement of Assurance.

Recommendations, Management Comments, and Audit Response

We recommend that the Director of Defense Finance and Accounting Service:

1. Revise the "System Access Control Policy and Standard Operating Procedures for DFAS Acquisition Management Organization" to require that:

    a. Functional information owners and supervisors certify that the monthly access control list has been reviewed and that action has been taken to deactivate user accounts no longer needed.

    b. Functional information owners forward the certifications to the Business Enterprise Information Services Production Support Office.

    c. The Business Enterprise Information Services Production Support Office maintains evidence of the certifications.

Management Comments. The Component Acquisition Executive at DFAS concurred and stated that DFAS will revise procedures to require that functional information owners certify that they have reviewed the monthly access control list, forward certifications to the Production Support Office, and maintain evidence of the certifications.

Audit Response. The DFAS comments are responsive. The updated procedures will require functional information owners, instead of the BEIS Production Support Office, to maintain electronic evidence of certifications. This action meets the intent of the recommendation.

2. Require that the functional information owners perform a one-time review of all job responsibilities to ensure that user access is restricted to the minimum necessary to conduct business.

Management Comments. The Component Acquisition Executive at DFAS concurred and stated that functional information owners will be directed to perform a one-time review of all job responsibilities to ensure that user access is restricted to the minimum necessary to conduct business.

3. Report user access to the Defense Finance and Accounting Service Corporate Database as a material internal control weakness in the Annual Statement of Assurance until Recommendations 1. and 2. have been implemented and it has been verified that the weakness has been corrected.

Management Comments. The Component Acquisition Executive at DFAS concurred and stated that the actions taken in response to Recommendations 1. and 2. have corrected the material internal control weakness. He stated that DFAS will validate compliance with the recommendations during preparation of the FY 2006 Annual Statement of Assurance.

Appendix A. Scope and Methodology

We reviewed the internal controls for deactivating user accounts when the user no longer needed to access DCD. We reviewed the CEFT ACL as of March 15, 2005, and the Army accounting ACL as of April 15, 2005. These two ACLs listed 2,271 (97.8 percent) of the 2,323 total DCD user accounts as of April 15, 2005, that could access the CEFT and Army accounting data. We identified 585 users with access to the CEFT and Army accounting database tables that had not accessed the DCD since December 31, 2004. Of these 585 users, we judgmentally sampled 214 current and former DFAS employees to determine if they required access to the system. Of the 214 users, 186 had DFAS email accounts. We attempted to contact the 186 users with DFAS email accounts. For the 28 users without DFAS email accounts, DFAS Human Resources personnel determined that 27 users were former DFAS employees and 1 user was on extended leave without pay.

We reviewed the Army General Fund job responsibility to determine if view and edit capabilities were properly assigned to users. The Army General Fund job responsibility was 1 of 65 reported on the April 26, 2005, Job Responsibility Matrix. We selected the Army General Fund job responsibility because it accounted for 482 (88.3 percent) of the 546 user accounts with access to Army accounting data as of April 15, 2005.

We also reviewed DFAS policies on information assurance and determined whether DFAS procedures complied with DoD requirements. We also discussed procedures for assigning access capabilities and identifying and deactivating inactive user accounts with DFAS supervisors, BEIS Production Support Office personnel, DCD Project Management Office personnel, and functional information owners.

We performed this audit from October 2004 through September 2005 in accordance with generally accepted government auditing standards.

Use of Computer-Processed Data. We relied on the CEFT and Army accounting ACLs generated by the BEIS Production Support Office to identify users who had not accessed DCD since December 31, 2004. We used other information to determine if personnel with inactive user accounts needed access to DCD. Because we only relied on the computer-processed data to determine if inactive user accounts existed, we did not perform detailed tests to confirm the reliability of the computer-processed data. Nothing came to our attention as a result of specific procedures that caused us to doubt the reliability of the computer-processed data.

Management Control Program. DoD Directive 5010.38, "Management Control (MC) Program," August 26, 1996, and DoD Instruction 5010.40 require DoD organizations to implement a comprehensive system of management (internal) controls that provides reasonable assurance that programs are operating as intended and to evaluate the adequacy of the controls. We evaluated the DFAS internal controls over user access to DCD. Specifically, we reviewed procedures that DFAS used to assign access responsibilities to users and to deactivate users who no longer required access to DCD. We also reviewed the adequacy of management's self-evaluation of those controls.

Government Accountability Office High-Risk Area. The Government Accountability Office (GAO) has identified several high-risk areas in DoD. This report provides coverage of the Financial Management high-risk area.

Prior Coverage

During the last 5 years, the GAO and the Department of Defense Inspector General (DoD IG) have issued three reports discussing the DCD. Unrestricted GAO reports can be accessed over the Internet at http://www.gao.gov. Unrestricted DoD IG reports can be accessed at http://www.dodig.mil/audit/reports.

GAO

GAO-03-465, "DoD Business System Modernization, Continued Investment in Key Accounting Systems Needs to be Justified," March 28, 2003

DoD IG

DoD IG Report No. D-2002-014, "Development of Defense Finance and Accounting Service Corporate Database and Other Financial Management Systems," November 7, 2001

DoD IG Report No. D-2001-030, "Oversight of Defense Finance and Accounting Service Corporate Database Development," December 28, 2000

Appendix B.
Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense (Comptroller)/Chief Financial Officer\n  Deputy Chief Financial Officer\n  Deputy Comptroller (Program/Budget)\n\nDepartment of the Army\nAuditor General, Department of the Army\n\nDepartment of the Navy\nNaval Inspector General\nAuditor General, Department of the Navy\n\nDepartment of the Air Force\nAuditor General, Department of the Air Force\n\nOther Defense Organization\nDirector, Defense Finance and Accounting Service\n\nNon-Defense Federal Organization\nOffice of Management and Budget\n\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Homeland Security and Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\n\n\n\n                                          11\n\x0cCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member (cont\xe2\x80\x99d)\nHouse Subcommittee on Government Efficiency and Financial Management, Committee\n  on Government Reform\nHouse Subcommittee on National Security, Emerging Threats, and International\n  Relations, Committee on Government Reform\nHouse Subcommittee on Technology, Information Policy, Intergovernmental Relations,\n  and the Census, Committee on Government Reform\n\n\n\n\n                                        12\n\x0cDefense Finance and Accounting Service\nComments\n\n\n\n\n                      13\n\x0c14\n\x0c15\n\x0cTeam Members\nThe Department of Defense Office of the Deputy Inspector General for Auditing,\nDefense Financial Auditing Service prepared this report. Personnel of the\nDepartment of Defense Office of Inspector General who contributed to the report\nare listed below.\n\nPaul J. 
Granetto\nPatricia A. Marsh\nCarmelo G. Ventimiglia\nJack L. Armstrong\nMark A. Ives\nJohn T. Ferguson\n\x0c"
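The inactive-account review described in Appendix A (accounts with no DCD access since a cutoff date, checked against Human Resources status) and the monthly owner certification called for in Recommendation 1 can be expressed as a small, repeatable control. The following is an added example, not code from the DoD IG report or from any DFAS or BEIS system. The ACL column layout, the user ids, the HR roster, the status names and the cutoff date are all constructed for illustration; the page does not describe the format of the real BEIS access control list.

```python
"""Inactive-account review and owner certification (added example).

Models the Appendix A review and the Recommendation 1 certification.
All sample data and field names are constructed; the real BEIS ACL format
is not on the page and is assumed here.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AclEntry:
    user_id: str
    job_responsibility: str
    last_access: Optional[date]  # None = account never used


@dataclass
class ReviewResult:
    deactivate: List[str] = field(default_factory=list)  # separated staff
    confirm: List[str] = field(default_factory=list)     # active staff, stale account
    leave: List[str] = field(default_factory=list)       # on leave; suspend access
    unknown: List[str] = field(default_factory=list)     # not found in HR roster


def inactive_users(acl: List[AclEntry], cutoff: date) -> List[AclEntry]:
    """Accounts with no recorded access after the cutoff (never-used accounts count)."""
    return [e for e in acl if e.last_access is None or e.last_access <= cutoff]


def review_acl(acl: List[AclEntry], roster: Dict[str, str], cutoff: date) -> ReviewResult:
    """Partition stale accounts by HR status, as the audit did with HR personnel."""
    result = ReviewResult()
    for entry in inactive_users(acl, cutoff):
        status = roster.get(entry.user_id)
        if status is None:
            result.unknown.append(entry.user_id)   # must be resolved before certifying
        elif status == "separated":
            result.deactivate.append(entry.user_id)
        elif status == "leave_without_pay":
            result.leave.append(entry.user_id)
        else:
            result.confirm.append(entry.user_id)   # owner confirms business need
    return result


def certification(owner: str, acl_date: date, result: ReviewResult,
                  deactivated: List[str]) -> dict:
    """Build the owner's monthly certification record.

    Certification is refused while any separated user is still enabled or any
    account could not be matched to an HR record, so the evidence kept by the
    owner shows the review was actually completed.
    """
    outstanding = sorted(set(result.deactivate) - set(deactivated))
    reviewed = (len(result.deactivate) + len(result.confirm)
                + len(result.leave) + len(result.unknown))
    return {
        "owner": owner,
        "acl_date": acl_date.isoformat(),
        "reviewed": reviewed,
        "deactivated": sorted(deactivated),
        "outstanding": outstanding,
        "unresolved": list(result.unknown),
        "certified": not outstanding and not result.unknown,
    }


# Constructed sample data; the cutoff mirrors the date used in Appendix A.
CUTOFF = date(2004, 12, 31)
ACL_DATE = date(2005, 3, 15)
SAMPLE_ACL = [
    AclEntry("u1001", "Army General Fund", date(2005, 3, 1)),   # recent use
    AclEntry("u1002", "Army General Fund", date(2004, 11, 2)),  # stale, separated
    AclEntry("u1003", "CEFT", date(2004, 12, 31)),              # on cutoff day: stale
    AclEntry("u1004", "CEFT", None),                            # never used
    AclEntry("u1005", "Army General Fund", date(2004, 6, 15)),  # stale, on leave
    AclEntry("u1006", "CEFT", date(2004, 10, 1)),               # missing from roster
]
SAMPLE_ROSTER = {"u1001": "active", "u1002": "separated", "u1003": "active",
                 "u1004": "active", "u1005": "leave_without_pay"}

if __name__ == "__main__":
    r = review_acl(SAMPLE_ACL, SAMPLE_ROSTER, CUTOFF)
    print(certification("Army GF owner", ACL_DATE, r, deactivated=["u1002"]))
```

Two design choices follow the report's findings: a never-used account is treated as stale rather than ignored, and the certification cannot be signed while a separated user remains enabled or a user cannot be matched to an HR record, which is the gap the audit found when 27 former employees still held accounts.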